/*++ NDK Version: 0098

Copyright (c) Alex Ionescu. All rights reserved.

Header Name:

    pstypes.h

Abstract:

    Type definitions for the Process Manager

Author:

    Alex Ionescu (alexi@tinykrnl.org) - Updated - 27-Feb-2006

--*/

#ifndef _PSTYPES_H
#define _PSTYPES_H

//
// Dependencies
//
// extypes.h and setypes.h are pulled in only when NTOS_MODE_USER is not
// defined, i.e. for kernel-mode consumers of this header.
//
#include <umtypes.h>
#include <ldrtypes.h>
#include <mmtypes.h>
#include <obtypes.h>
#include <rtltypes.h>
#ifndef NTOS_MODE_USER
#include <extypes.h>
#include <setypes.h>
#endif

#ifdef __cplusplus
extern "C" {
#endif

#ifndef NTOS_MODE_USER

//
// Kernel Exported Object Types
//
extern POBJECT_TYPE NTSYSAPI PsJobType;

#endif // !NTOS_MODE_USER

//
// KUSER_SHARED_DATA location in User Mode
//
// A plain integer constant, not a typed pointer: callers must cast it to the
// structure pointer type they need.
//
#define USER_SHARED_DATA                        (0x7FFE0000)

//
// Global Flags
//
// One bit per flag. No name is defined in this header for 0x00000200, and
// bit 0x00100000 has a different name depending on NTDDI_VERSION (see below).
//
#define FLG_STOP_ON_EXCEPTION                   0x00000001
#define FLG_SHOW_LDR_SNAPS                      0x00000002
#define FLG_DEBUG_INITIAL_COMMAND               0x00000004
#define FLG_STOP_ON_HUNG_GUI                    0x00000008
#define FLG_HEAP_ENABLE_TAIL_CHECK              0x00000010
#define FLG_HEAP_ENABLE_FREE_CHECK              0x00000020
#define FLG_HEAP_VALIDATE_PARAMETERS            0x00000040
#define FLG_HEAP_VALIDATE_ALL                   0x00000080
#define FLG_APPLICATION_VERIFIER                0x00000100
#define FLG_POOL_ENABLE_TAGGING                 0x00000400
#define FLG_HEAP_ENABLE_TAGGING                 0x00000800
#define FLG_USER_STACK_TRACE_DB                 0x00001000
#define FLG_KERNEL_STACK_TRACE_DB               0x00002000
#define FLG_MAINTAIN_OBJECT_TYPELIST            0x00004000
#define FLG_HEAP_ENABLE_TAG_BY_DLL              0x00008000
#define FLG_DISABLE_STACK_EXTENSION             0x00010000
#define FLG_ENABLE_CSRDEBUG                     0x00020000
#define FLG_ENABLE_KDEBUG_SYMBOL_LOAD           0x00040000
#define FLG_DISABLE_PAGE_KERNEL_STACKS          0x00080000
// The same bit value is exposed under two names; only one is visible for a
// given build target, so code using either name is tied to that target.
#if (NTDDI_VERSION < NTDDI_WINXP)
#define FLG_HEAP_ENABLE_CALL_TRACING            0x00100000
#else
#define FLG_ENABLE_SYSTEM_CRIT_BREAKS           0x00100000
#endif
#define FLG_HEAP_DISABLE_COALESCING             0x00200000
// (Global Flags, continued from the FLG_* definitions above.)
#define FLG_ENABLE_CLOSE_EXCEPTIONS             0x00400000
#define FLG_ENABLE_EXCEPTION_LOGGING            0x00800000
#define FLG_ENABLE_HANDLE_TYPE_TAGGING          0x01000000
#define FLG_HEAP_PAGE_ALLOCS                    0x02000000
#define FLG_DEBUG_INITIAL_COMMAND_EX            0x04000000
// Bits 0..26 inclusive: every FLG_* bit defined in this header, plus
// 0x00000200, for which this header defines no name.
#define FLG_VALID_BITS                          0x07FFFFFF

//
// Flags for NtCreateProcessEx
//
// PROCESS_CREATE_FLAGS_LEGAL_MASK is the OR of every flag defined here; a
// bit outside the mask has no meaning assigned by this header.
//
#define PROCESS_CREATE_FLAGS_BREAKAWAY              0x00000001
#define PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT       0x00000002
#define PROCESS_CREATE_FLAGS_INHERIT_HANDLES        0x00000004
#define PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00000008
#define PROCESS_CREATE_FLAGS_LARGE_PAGES            0x00000010
#define PROCESS_CREATE_FLAGS_ALL_LARGE_PAGE_FLAGS   PROCESS_CREATE_FLAGS_LARGE_PAGES
#define PROCESS_CREATE_FLAGS_LEGAL_MASK             (PROCESS_CREATE_FLAGS_BREAKAWAY | \
                                                     PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT | \
                                                     PROCESS_CREATE_FLAGS_INHERIT_HANDLES | \
                                                     PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE | \
                                                     PROCESS_CREATE_FLAGS_ALL_LARGE_PAGE_FLAGS)

//
// Process priority classes
//
// Small ordinals, not bit flags. The numeric order is not the priority
// order (e.g. BELOW_NORMAL is 5 while NORMAL is 2).
//
#define PROCESS_PRIORITY_CLASS_INVALID          0
#define PROCESS_PRIORITY_CLASS_IDLE             1
#define PROCESS_PRIORITY_CLASS_NORMAL           2
#define PROCESS_PRIORITY_CLASS_HIGH             3
#define PROCESS_PRIORITY_CLASS_REALTIME         4
#define PROCESS_PRIORITY_CLASS_BELOW_NORMAL     5
#define PROCESS_PRIORITY_CLASS_ABOVE_NORMAL     6

//
// Process base priorities
//
#define PROCESS_PRIORITY_IDLE                   3
#define PROCESS_PRIORITY_NORMAL                 8
#define PROCESS_PRIORITY_NORMAL_FOREGROUND      9

//
// Process memory priorities
//
#define MEMORY_PRIORITY_BACKGROUND              0
#define MEMORY_PRIORITY_UNKNOWN                 1
#define MEMORY_PRIORITY_FOREGROUND              2

//
// Process Priority Separation Values (OR)
//
#define PSP_DEFAULT_QUANTUMS                    0x00
#define PSP_VARIABLE_QUANTUMS                   0x04
#define PSP_FIXED_QUANTUMS                      0x08
#define PSP_LONG_QUANTUMS                       0x10
#define PSP_SHORT_QUANTUMS                      0x20

// Everything from here to the matching #endif (after PSF2_PROTECTED_BIT) is
// visible only to kernel-mode builds.
#ifndef NTOS_MODE_USER
//
// Thread Access Types
//
// Only these four thread rights are defined in this header.
//
#define THREAD_QUERY_INFORMATION                0x0040
#define THREAD_SET_THREAD_TOKEN                 0x0080
#define THREAD_IMPERSONATE                      0x0100
#define THREAD_DIRECT_IMPERSONATION             0x0200

//
// Process Access Types
//
// Each right is a single bit so rights can be ORed into one access mask.
// No name is defined here for 0x0040. Callers should request the narrowest
// set of rights they need rather than PROCESS_ALL_ACCESS.
//
#define PROCESS_TERMINATE                       0x0001
#define PROCESS_CREATE_THREAD                   0x0002
#define PROCESS_SET_SESSIONID                   0x0004
#define PROCESS_VM_OPERATION                    0x0008
#define PROCESS_VM_READ                         0x0010
#define PROCESS_VM_WRITE                        0x0020
#define PROCESS_CREATE_PROCESS                  0x0080
#define PROCESS_SET_QUOTA                       0x0100
#define PROCESS_SET_INFORMATION                 0x0200
#define PROCESS_QUERY_INFORMATION               0x0400
#define PROCESS_SUSPEND_RESUME                  0x0800
#define PROCESS_QUERY_LIMITED_INFORMATION       0x1000
// The object-specific part of the mask widens from 0xFFF to 0xFFFF when
// targeting NTDDI_LONGHORN or later, so the same symbol requests a different
// set of rights depending on the build target. The 0xFFF form does not
// include PROCESS_QUERY_LIMITED_INFORMATION (0x1000).
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
#define PROCESS_ALL_ACCESS                      (STANDARD_RIGHTS_REQUIRED | \
                                                 SYNCHRONIZE | \
                                                 0xFFFF)
#else
#define PROCESS_ALL_ACCESS                      (STANDARD_RIGHTS_REQUIRED | \
                                                 SYNCHRONIZE | \
                                                 0xFFF)
#endif

//
// Thread Base Priorities
//
// NOTE(review): the two negative values are not parenthesized; writing them
// as (-2) and (-15) would be the safer macro form.
//
#define THREAD_BASE_PRIORITY_LOWRT              15
#define THREAD_BASE_PRIORITY_MAX                2
#define THREAD_BASE_PRIORITY_MIN                -2
#define THREAD_BASE_PRIORITY_IDLE               -15

//
// TLS Slots
//
#define TLS_MINIMUM_AVAILABLE                   64

//
// TEB Active Frame Flags
//
#define TEB_ACTIVE_FRAME_CONTEXT_FLAG_EXTENDED  0x1

//
// Job Access Types
//
// The literal 31 in JOB_OBJECT_ALL_ACCESS equals 0x1F, the OR of the five
// job rights defined here.
//
#define JOB_OBJECT_ASSIGN_PROCESS               0x1
#define JOB_OBJECT_SET_ATTRIBUTES               0x2
#define JOB_OBJECT_QUERY                        0x4
#define JOB_OBJECT_TERMINATE                    0x8
#define JOB_OBJECT_SET_SECURITY_ATTRIBUTES      0x10
#define JOB_OBJECT_ALL_ACCESS                   (STANDARD_RIGHTS_REQUIRED | \
                                                 SYNCHRONIZE | \
                                                 31)

//
// Job Limit Flags
//
#define JOB_OBJECT_LIMIT_WORKINGSET             0x1
#define JOB_OBJECT_LIMIT_PROCESS_TIME           0x2
#define JOB_OBJECT_LIMIT_JOB_TIME               0x4
#define JOB_OBJECT_LIMIT_ACTIVE_PROCESS         0x8
#define JOB_OBJECT_LIMIT_AFFINITY               0x10
#define JOB_OBJECT_LIMIT_PRIORITY_CLASS         0x20
#define JOB_OBJECT_LIMIT_PRESERVE_JOB_TIME      0x40
#define JOB_OBJECT_LIMIT_SCHEDULING_CLASS       0x80
#define JOB_OBJECT_LIMIT_PROCESS_MEMORY         0x100
#define JOB_OBJECT_LIMIT_JOB_MEMORY             0x200
#define JOB_OBJECT_LIMIT_DIE_ON_UNHANDLED_EXCEPTION 0x400
#define JOB_OBJECT_LIMIT_BREAKAWAY_OK           0x800
#define JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK    0x1000
#define JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE      0x2000

//
// Cross Thread Flags
//
// Mask values for ETHREAD.CrossThreadFlags. They follow the order of the
// pre-Longhorn bitfields declared in ETHREAD (Terminated, DeadThread,
// HideFromDebugger, ...), assuming bitfields are allocated from bit 0
// upward -- confirm for the compiler in use.
//
#define CT_TERMINATED_BIT                       0x1
#define CT_DEAD_THREAD_BIT                      0x2
#define CT_HIDE_FROM_DEBUGGER_BIT               0x4
#define CT_ACTIVE_IMPERSONATION_INFO_BIT        0x8
#define CT_SYSTEM_THREAD_BIT                    0x10
#define CT_HARD_ERRORS_ARE_DISABLED_BIT         0x20
#define CT_BREAK_ON_TERMINATION_BIT             0x40
#define CT_SKIP_CREATION_MSG_BIT                0x80
#define CT_SKIP_TERMINATION_MSG_BIT             0x100

//
// Same Thread Passive Flags
//
// Mask values matching the first four bitfields of
// ETHREAD.SameThreadPassiveFlags, in declaration order.
//
#define STP_ACTIVE_EX_WORKER_BIT                0x1
#define STP_EX_WORKER_CAN_WAIT_USER_BIT         0x2
#define STP_MEMORY_MAKER_BIT                    0x4
#define STP_KEYED_EVENT_IN_USE_BIT              0x8

//
// Same Thread APC Flags
//
// STA_OWNS_WORKING_SET_BITS (0x1F8) is bits 3..8, six bits wide; by position
// it appears to cover the six Owns*WorkingSet* bitfields of
// ETHREAD.SameThreadApcFlags -- confirm against the bitfield layout.
//
#define STA_LPC_RECEIVED_MSG_ID_VALID_BIT       0x1
#define STA_LPC_EXIT_THREAD_CALLED_BIT          0x2
#define STA_ADDRESS_SPACE_OWNER_BIT             0x4
#define STA_OWNS_WORKING_SET_BITS               0x1F8

//
// Kernel Process flags (maybe in ketypes.h?)
//
// NOTE(review): the values 0 and 1 look like bit positions rather than masks,
// unlike the other *_BIT constants in this header -- confirm at the use sites.
#define KPSF_AUTO_ALIGNMENT_BIT                 0
#define KPSF_DISABLE_BOOST_BIT                  1

//
// Process Flags
//
// One mask per flag. No name is defined in this header for 0x800.
//
#define PSF_CREATE_REPORTED_BIT                 0x1
#define PSF_NO_DEBUG_INHERIT_BIT                0x2
#define PSF_PROCESS_EXITING_BIT                 0x4
#define PSF_PROCESS_DELETE_BIT                  0x8
#define PSF_WOW64_SPLIT_PAGES_BIT               0x10
#define PSF_VM_DELETED_BIT                      0x20
#define PSF_OUTSWAP_ENABLED_BIT                 0x40
#define PSF_OUTSWAPPED_BIT                      0x80
#define PSF_FORK_FAILED_BIT                     0x100
#define PSF_WOW64_VA_SPACE_4GB_BIT              0x200
#define PSF_ADDRESS_SPACE_INITIALIZED_BIT       0x400
#define PSF_SET_TIMER_RESOLUTION_BIT            0x1000
#define PSF_BREAK_ON_TERMINATION_BIT            0x2000
#define PSF_SESSION_CREATION_UNDERWAY_BIT       0x4000
#define PSF_WRITE_WATCH_BIT                     0x8000
#define PSF_PROCESS_IN_SESSION_BIT              0x10000
#define PSF_OVERRIDE_ADDRESS_SPACE_BIT          0x20000
#define PSF_HAS_ADDRESS_SPACE_BIT               0x40000
#define PSF_LAUNCH_PREFETCHED_BIT               0x80000
#define PSF_INJECT_INPAGE_ERRORS_BIT            0x100000
#define PSF_VM_TOP_DOWN_BIT                     0x200000
#define PSF_IMAGE_NOTIFY_DONE_BIT               0x400000
#define PSF_PDE_UPDATE_NEEDED_BIT               0x800000
#define PSF_VDM_ALLOWED_BIT                     0x1000000
#define PSF_SWAP_ALLOWED_BIT                    0x2000000
#define PSF_CREATE_FAILED_BIT                   0x4000000
#define PSF_DEFAULT_IO_PRIORITY_BIT             0x8000000

//
// Vista Process Flags
//
// The PSF2_ prefix suggests a second flags word, separate from the PSF_*
// masks above -- NOTE(review): confirm which field this mask applies to.
//
#define PSF2_PROTECTED_BIT                      0x800
#endif // !NTOS_MODE_USER (opened before "Thread Access Types")

//
// TLS/FLS Defines
//
#define TLS_EXPANSION_SLOTS                     1024

#ifdef NTOS_MODE_USER
//
// Thread Native Base Priorities
//
#define LOW_PRIORITY                            0
#define LOW_REALTIME_PRIORITY                   16
#define HIGH_PRIORITY                           31
#define MAXIMUM_PRIORITY                        32

//
// Current Process/Thread built-in 'special' handles
//
// These are the constant values -1 and -2 cast to HANDLE, not handles
// obtained by opening an object.
//
#define NtCurrentProcess()                      ((HANDLE)(LONG_PTR)-1)
#define ZwCurrentProcess()                      NtCurrentProcess()
#define NtCurrentThread()                       ((HANDLE)(LONG_PTR)-2)
#define ZwCurrentThread()                       NtCurrentThread()

//
// Process/Thread/Job Information Classes for NtQueryInformationProcess/Thread/Job
//
// Enumerators are numbered implicitly from 0, so their order is part of the
// interface: inserting or reordering entries changes every later value.
// A few values are spelled out below for reference.
//
typedef enum _PROCESSINFOCLASS
{
    ProcessBasicInformation,            // 0
    ProcessQuotaLimits,
    ProcessIoCounters,
    ProcessVmCounters,
    ProcessTimes,
    ProcessBasePriority,
    ProcessRaisePriority,
    ProcessDebugPort,                   // 7
    ProcessExceptionPort,
    ProcessAccessToken,                 // 9
    ProcessLdtInformation,
    ProcessLdtSize,
    ProcessDefaultHardErrorMode,
    ProcessIoPortHandlers,
    ProcessPooledUsageAndLimits,
    ProcessWorkingSetWatch,
    ProcessUserModeIOPL,
    ProcessEnableAlignmentFaultFixup,
    ProcessPriorityClass,
    ProcessWx86Information,
    ProcessHandleCount,
    ProcessAffinityMask,
    ProcessPriorityBoost,
    ProcessDeviceMap,
    ProcessSessionInformation,
    ProcessForegroundInformation,
    ProcessWow64Information,
    ProcessImageFileName,
    ProcessLUIDDeviceMapsEnabled,
    ProcessBreakOnTermination,          // 29
    ProcessDebugObjectHandle,           // 30
    ProcessDebugFlags,                  // 31
    ProcessHandleTracing,
    ProcessIoPriority,
    ProcessExecuteFlags,                // 34
    ProcessTlsInformation,
    ProcessCookie,
    ProcessImageInformation,
    ProcessCycleTime,
    ProcessPagePriority,
    ProcessInstrumentationCallback,     // 40
    ProcessThreadStackAllocation,
    ProcessWorkingSetWatchEx,
    ProcessImageFileNameWin32,
    ProcessImageFileMapping,
    ProcessAffinityUpdateMode,
    ProcessMemoryAllocationMode,
    MaxProcessInfoClass                 // 47: count of classes, not a class
} PROCESSINFOCLASS;

typedef enum _THREADINFOCLASS
{
    ThreadBasicInformation,             // 0
    ThreadTimes,
    ThreadPriority,
    ThreadBasePriority,
    ThreadAffinityMask,
    ThreadImpersonationToken,           // 5
    ThreadDescriptorTableEntry,
    ThreadEnableAlignmentFaultFixup,
    ThreadEventPair_Reusable,
    ThreadQuerySetWin32StartAddress,
    ThreadZeroTlsCell,
    ThreadPerformanceCount,
    ThreadAmILastThread,
    ThreadIdealProcessor,
    ThreadPriorityBoost,
    ThreadSetTlsArrayAddress,
    ThreadIsIoPending,
    ThreadHideFromDebugger,             // 17
    ThreadBreakOnTermination,           // 18
    ThreadSwitchLegacyState,
    ThreadIsTerminated,
    ThreadLastSystemCall,
    ThreadIoPriority,
    ThreadCycleTime,
    ThreadPagePriority,
    ThreadActualBasePriority,
    ThreadTebInformation,
    ThreadCSwitchMon,
    MaxThreadInfoClass                  // 28: count of classes, not a class
} THREADINFOCLASS;

#else // !NTOS_MODE_USER: kernel-mode-only definitions follow

typedef enum _PSPROCESSPRIORITYMODE
{
    PsProcessPriorityForeground,
    PsProcessPriorityBackground,
    PsProcessPrioritySpinning
} PSPROCESSPRIORITYMODE;

// Unlike the two information-class enums in the user-mode branch, this one
// starts at 1, so MaxJobObjectInfoClass is 11.
typedef enum _JOBOBJECTINFOCLASS
{
    JobObjectBasicAccountingInformation = 1,
    JobObjectBasicLimitInformation,
    JobObjectBasicProcessIdList,
    JobObjectBasicUIRestrictions,
    JobObjectSecurityLimitInformation,
    JobObjectEndOfJobTimeInformation,
    JobObjectAssociateCompletionPortInformation,
    JobObjectBasicAndIoAccountingInformation,
    JobObjectExtendedLimitInformation,
    JobObjectJobSetInformation,
    MaxJobObjectInfoClass
} JOBOBJECTINFOCLASS;

//
// Power Events for Win32K Power Event Callback
//
typedef enum _PSPOWEREVENTTYPE
{
    PsW32FullWake = 0,
    PsW32EventCode = 1,
    PsW32PowerPolicyChanged = 2,
    PsW32SystemPowerState = 3,
    PsW32SystemTime = 4,
    PsW32DisplayState = 5,
    PsW32CapabilitiesChanged = 6,
    PsW32SetStateFailed = 7,
    PsW32GdiOff = 8,
    PsW32GdiOn = 9,
    PsW32GdiPrepareResumeUI = 10,
    PsW32GdiOffRequest = 11,
    PsW32MonitorOff = 12,
} PSPOWEREVENTTYPE;

//
// Power State Tasks for Win32K Power State Callback
//
typedef enum _POWERSTATETASK
{
    PowerState_BlockSessionSwitch = 0,
    PowerState_Init = 1,
    PowerState_QueryApps = 2,
    PowerState_QueryServices = 3,
    PowerState_QueryAppsFailed = 4,
    PowerState_QueryServicesFailed = 5,
    PowerState_SuspendApps = 6,
    PowerState_SuspendServices = 7,
    PowerState_ShowUI = 8,
    PowerState_NotifyWL = 9,
    PowerState_ResumeApps = 10,
    PowerState_ResumeServices = 11,
    PowerState_UnBlockSessionSwitch = 12,
    PowerState_End = 13,
    PowerState_BlockInput = 14,
    PowerState_UnblockInput = 15,
} POWERSTATETASK;

//
// Win32K Job Callback Types
//
typedef enum _PSW32JOBCALLOUTTYPE
{
    PsW32JobCalloutSetInformation = 0,
    PsW32JobCalloutAddProcess = 1,
    PsW32JobCalloutTerminate = 2,
} PSW32JOBCALLOUTTYPE;

//
// Win32K Thread Callback Types
//
typedef enum _PSW32THREADCALLOUTTYPE
{
    PsW32ThreadCalloutInitialize,
    PsW32ThreadCalloutExit,
} PSW32THREADCALLOUTTYPE;

//
// Declare empty structure definitions so that they may be referenced by
// routines before they are defined
//
struct _W32THREAD;
struct _W32PROCESS;
//struct _ETHREAD;
struct _WIN32_POWEREVENT_PARAMETERS;
struct _WIN32_POWERSTATE_PARAMETERS;
struct _WIN32_JOBCALLOUT_PARAMETERS;
struct _WIN32_OPENMETHOD_PARAMETERS;
struct _WIN32_OKAYTOCLOSEMETHOD_PARAMETERS;
struct _WIN32_CLOSEMETHOD_PARAMETERS;
struct _WIN32_DELETEMETHOD_PARAMETERS;
struct _WIN32_PARSEMETHOD_PARAMETERS;

//
// Win32K Process and Thread Callbacks
//
// Function-pointer types only; every callout below returns NTSTATUS. The
// *_PARAMETERS structures are forward-declared above and not defined in the
// part of the header shown here.
//

// Callout taking the process object and a BOOLEAN 'Create'.
typedef
NTSTATUS
(NTAPI *PKWIN32_PROCESS_CALLOUT)(
    _In_ struct _EPROCESS *Process,
    _In_ BOOLEAN Create
);

// Callout taking the thread object and a PSW32THREADCALLOUTTYPE value.
typedef
NTSTATUS
(NTAPI *PKWIN32_THREAD_CALLOUT)(
    _In_ struct _ETHREAD *Thread,
    _In_ PSW32THREADCALLOUTTYPE Type
);

typedef
NTSTATUS
(NTAPI *PKWIN32_GLOBALATOMTABLE_CALLOUT)(
    VOID
);

typedef
NTSTATUS
(NTAPI *PKWIN32_POWEREVENT_CALLOUT)(
    _In_ struct _WIN32_POWEREVENT_PARAMETERS *Parameters
);

typedef
NTSTATUS
(NTAPI *PKWIN32_POWERSTATE_CALLOUT)(
    _In_ struct _WIN32_POWERSTATE_PARAMETERS *Parameters
);

typedef
NTSTATUS
(NTAPI *PKWIN32_JOB_CALLOUT)(
    _In_ struct _WIN32_JOBCALLOUT_PARAMETERS *Parameters
);

typedef
NTSTATUS
(NTAPI *PGDI_BATCHFLUSH_ROUTINE)(
    VOID
);

typedef
NTSTATUS
(NTAPI *PKWIN32_OPENMETHOD_CALLOUT)(
    _In_ struct _WIN32_OPENMETHOD_PARAMETERS *Parameters
);

// Note the spelling difference: the typedef says OKTOCLOSE while its
// parameter structure is named OKAYTOCLOSE.
typedef
NTSTATUS
(NTAPI *PKWIN32_OKTOCLOSEMETHOD_CALLOUT)(
    _In_ struct _WIN32_OKAYTOCLOSEMETHOD_PARAMETERS *Parameters
);

typedef
NTSTATUS
(NTAPI *PKWIN32_CLOSEMETHOD_CALLOUT)(
    _In_ struct _WIN32_CLOSEMETHOD_PARAMETERS *Parameters
);

typedef
NTSTATUS
(NTAPI *PKWIN32_DELETEMETHOD_CALLOUT)(
    _In_ struct _WIN32_DELETEMETHOD_PARAMETERS *Parameters
);

typedef
NTSTATUS
(NTAPI *PKWIN32_PARSEMETHOD_CALLOUT)(
    _In_ struct _WIN32_PARSEMETHOD_PARAMETERS *Parameters
);

// The parameter is an untyped PVOID; its real type is not visible here.
typedef
NTSTATUS
(NTAPI *PKWIN32_SESSION_CALLOUT)(
    _In_ PVOID Parameter
);

#if (NTDDI_VERSION >= NTDDI_LONGHORN)
// Callback and Context are untyped PVOIDs; their contract is not visible here.
typedef
NTSTATUS
(NTAPI *PKWIN32_WIN32DATACOLLECTION_CALLOUT)(
    _In_ struct _EPROCESS *Process,
    _In_ PVOID Callback,
    _In_ PVOID Context
);
#endif

//
// Lego Callback
//
typedef
VOID
(NTAPI *PLEGO_NOTIFY_ROUTINE)(
    _In_ PKTHREAD Thread
);

#endif // NTOS_MODE_USER / #else

typedef NTSTATUS
(NTAPI *PPOST_PROCESS_INIT_ROUTINE)(
    VOID
);

//
// Descriptor Table Entry Definition
//
// Compiled only when _M_IX86 is defined to a non-zero value; an undefined
// _M_IX86 evaluates to 0 in #if, so other targets skip this block.
//
#if (_M_IX86)
#define _DESCRIPTOR_TABLE_ENTRY_DEFINED
typedef struct _DESCRIPTOR_TABLE_ENTRY
{
    ULONG Selector;
    LDT_ENTRY Descriptor;
} DESCRIPTOR_TABLE_ENTRY, *PDESCRIPTOR_TABLE_ENTRY;
#endif

//
// PEB Lock Routine
//
typedef VOID
(NTAPI *PPEBLOCKROUTINE)(
    PVOID PebLock
);

//
// PEB Free Block Descriptor
//
// Singly linked through Next.
//
typedef struct _PEB_FREE_BLOCK
{
    struct _PEB_FREE_BLOCK* Next;
    ULONG Size;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;

//
// Initial PEB
//
// The fourth byte is a union: BitField aliases either the named one-bit
// fields (NTDDI_WS03 and later) or SpareBool (earlier targets). Which bits
// exist therefore depends on NTDDI_VERSION at compile time.
//
typedef struct _INITIAL_PEB
{
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    union
    {
        BOOLEAN BitField;
#if (NTDDI_VERSION >= NTDDI_WS03)
        struct
        {
            BOOLEAN ImageUsesLargePages:1;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
            BOOLEAN IsProtectedProcess:1;
            BOOLEAN IsLegacyProcess:1;
            BOOLEAN SpareBits:5;
#else
            BOOLEAN SpareBits:7;
#endif
        };
#else
        BOOLEAN SpareBool;
#endif
    };
    HANDLE Mutant;
} INITIAL_PEB, *PINITIAL_PEB;

//
// Initial TEB
//
typedef struct _INITIAL_TEB
{
    PVOID PreviousStackBase;
    PVOID PreviousStackLimit;
    PVOID StackBase;
    PVOID StackLimit;
    PVOID AllocatedStackBase;
} INITIAL_TEB, *PINITIAL_TEB;

//
// TEB Active Frame Structures
//
// Each *_EX structure embeds its basic counterpart as the first member, and
// each type also gets a pointer-to-const typedef (PC...).
//
typedef struct _TEB_ACTIVE_FRAME_CONTEXT
{
    ULONG Flags;
    LPSTR FrameName;
} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
typedef const struct _TEB_ACTIVE_FRAME_CONTEXT *PCTEB_ACTIVE_FRAME_CONTEXT;

typedef struct _TEB_ACTIVE_FRAME_CONTEXT_EX
{
    TEB_ACTIVE_FRAME_CONTEXT BasicContext;
    PCSTR SourceLocation;
} TEB_ACTIVE_FRAME_CONTEXT_EX, *PTEB_ACTIVE_FRAME_CONTEXT_EX;
typedef const struct _TEB_ACTIVE_FRAME_CONTEXT_EX *PCTEB_ACTIVE_FRAME_CONTEXT_EX;

// Frames are chained through Previous.
typedef struct _TEB_ACTIVE_FRAME
{
    ULONG Flags;
    struct _TEB_ACTIVE_FRAME *Previous;
    PCTEB_ACTIVE_FRAME_CONTEXT Context;
} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
typedef const struct _TEB_ACTIVE_FRAME *PCTEB_ACTIVE_FRAME;

typedef struct _TEB_ACTIVE_FRAME_EX
{
    TEB_ACTIVE_FRAME BasicFrame;
    PVOID ExtensionIdentifier;
} TEB_ACTIVE_FRAME_EX, *PTEB_ACTIVE_FRAME_EX;
typedef const struct _TEB_ACTIVE_FRAME_EX *PCTEB_ACTIVE_FRAME_EX;

// Fixed-width client IDs: both members are ULONG here and ULONG64 in the
// 64-bit variant, independent of the build's pointer size.
typedef struct _CLIENT_ID32
{
    ULONG UniqueProcess;
    ULONG UniqueThread;
} CLIENT_ID32, *PCLIENT_ID32;

typedef struct _CLIENT_ID64
{
    ULONG64 UniqueProcess;
    ULONG64 UniqueThread;
} CLIENT_ID64, *PCLIENT_ID64;

#if (NTDDI_VERSION < NTDDI_WS03)
typedef struct _Wx86ThreadState
{
    PULONG CallBx86Eip;
    PVOID DeallocationCpu;
    BOOLEAN UseKnownWx86Dll;
    CHAR OleStubInvoked;
} Wx86ThreadState, *PWx86ThreadState;
#endif

//
// PEB.AppCompatFlags
// Tag FLAG_MASK_KERNEL
//
// Bit masks with gaps: several bit positions have no name here.
// NOTE(review): by name, some entries (DisableAdvanceRPCClientHardening,
// DisableAdvancedRPCrangeCheck, DisableNDRIIDConsistencyCheck) relax checks
// for a shimmed application -- confirm their semantics before relying on the
// names when auditing which flags a process runs with.
// NOTE(review): 0x80000000 does not fit in a signed 32-bit int; whether it is
// accepted as an enumerator value depends on the compiler.
//
typedef enum _APPCOMPAT_FLAGS
{
    GetShortPathNameNT4 = 0x1,
    GetDiskFreeSpace2GB = 0x8,
    FTMFromCurrentAPI = 0x20,
    DisallowCOMBindingNotifications = 0x40,
    Ole32ValidatePointers = 0x80,
    DisableCicero = 0x100,
    Ole32EnableAsyncDocFile = 0x200,
    EnableLegacyExceptionHandlinginOLE = 0x400,
    DisableAdvanceRPCClientHardening = 0x800,
    DisableMaybeNULLSizeisConsistencycheck = 0x1000,
    DisableAdvancedRPCrangeCheck = 0x4000,
    EnableLegacyExceptionHandlingInRPC = 0x8000,
    EnableLegacyNTFSFlagsForDocfileOpens = 0x10000,
    DisableNDRIIDConsistencyCheck = 0x20000,
    UserDisableForwarderPatch = 0x40000,
    DisableNewWMPAINTDispatchInOLE = 0x100000,
    DoNotAddToCache = 0x80000000,
} APPCOMPAT_FLAGS;


//
// PEB.AppCompatFlagsUser.LowPart
// Tag FLAG_MASK_USER
//
// Covers the low 32 bits only. The three entries under '#if 0' would need
// bits 32..34 and are compiled out; they are declared instead, with values
// 0x1/0x2/0x4, in APPCOMPAT_USERFLAGS_HIGHPART below. No name is defined
// here for 0x800000.
//
typedef enum _APPCOMPAT_USERFLAGS
{
    DisableAnimation = 0x1,
    DisableKeyboardCues = 0x2,
    No50StylebitsInSetWindowLong = 0x4,
    DisableDrawPatternRect = 0x8,
    MSShellDialog = 0x10,
    NoDDETerminateDuringDestroy = 0x20,
    GiveupForeground = 0x40,
    AlwaysActiveMenus = 0x80,
    NoMouseHideInEdit = 0x100,
    NoGdiBatching = 0x200,
    FontSubstitution = 0x400,
    No50StylebitsInCreateWindow = 0x800,
    NoCustomPaperSizes = 0x1000,
    AllTheDdeHacks = 0x2000,
    UseDefaultCharset = 0x4000,
    NoCharDeadKey = 0x8000,
    NoTryExceptForWindowProc = 0x10000,
    NoInitInsertReplaceFlags = 0x20000,
    NoDdeSync = 0x40000,
    NoGhost = 0x80000,
    NoDdeAsyncReg = 0x100000,
    StrictLLHook = 0x200000,
    NoShadow = 0x400000,
    NoTimerCallbackProtection = 0x1000000,
    HighDpiAware = 0x2000000,
    OpenGLEmfAware = 0x4000000,
    EnableTransparantBltMirror = 0x8000000,
    NoPaddedBorder = 0x10000000,
    ForceLegacyResizeCM = 0x20000000,
    HardwareAudioMixer = 0x40000000,
    DisableSWCursorOnMoveSize = 0x80000000,
#if 0
    DisableWindowArrangement = 0x100000000,
    ReorderWaveForCommunications = 0x200000000,
    NoGdiHwAcceleration = 0x400000000,
#endif
} APPCOMPAT_USERFLAGS;

//
// PEB.AppCompatFlagsUser.HighPart
// Tag FLAG_MASK_USER
//
typedef enum _APPCOMPAT_USERFLAGS_HIGHPART
{
    DisableWindowArrangement = 0x1,
    ReorderWaveForCommunications = 0x2,
    NoGdiHwAcceleration = 0x4,
} APPCOMPAT_USERFLAGS_HIGHPART;

//
// Process Environment Block (PEB)
// Thread Environment Block (TEB)
//
// peb_teb.h is included once unconditionally and, on _WIN64, twice more
// with EXPLICIT_32BIT and then EXPLICIT_64BIT defined.
// NOTE(review): this presumes peb_teb.h is written to be included repeatedly
// and emits differently named types per macro -- confirm in that file.
//
#include "peb_teb.h"

#ifdef _WIN64
//
// Explicit 32 bit PEB/TEB
//
#define EXPLICIT_32BIT
#include "peb_teb.h"
#undef EXPLICIT_32BIT

//
// Explicit 64 bit PEB/TEB
//
#define EXPLICIT_64BIT
#include "peb_teb.h"
#undef EXPLICIT_64BIT
#endif

#ifdef NTOS_MODE_USER

//
// Process Information Structures for NtQueryInformationProcess
//
typedef struct _PROCESS_BASIC_INFORMATION
{
    NTSTATUS ExitStatus;
    PPEB PebBaseAddress;
    ULONG_PTR AffinityMask;
    KPRIORITY BasePriority;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;

typedef struct _PROCESS_ACCESS_TOKEN
{
    HANDLE Token;
    HANDLE Thread;
} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;

// One buffer type with two layouts: 'Set' carries a directory handle,
// 'Query' carries a drive bitmap plus a fixed 32-entry type array.
typedef struct _PROCESS_DEVICEMAP_INFORMATION
{
    union
    {
        struct
        {
            HANDLE DirectoryHandle;
        } Set;
        struct
        {
            ULONG DriveMap;
            UCHAR DriveType[32];
        } Query;
    };
} PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION;

typedef struct _KERNEL_USER_TIMES
{
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES;

// Peak / current / limit triples for paged pool, non-paged pool and pagefile.
typedef struct _POOLED_USAGE_AND_LIMITS
{
    SIZE_T PeakPagedPoolUsage;
    SIZE_T PagedPoolUsage;
    SIZE_T PagedPoolLimit;
    SIZE_T PeakNonPagedPoolUsage;
    SIZE_T NonPagedPoolUsage;
    SIZE_T NonPagedPoolLimit;
    SIZE_T PeakPagefileUsage;
    SIZE_T PagefileUsage;
    SIZE_T PagefileLimit;
} POOLED_USAGE_AND_LIMITS, *PPOOLED_USAGE_AND_LIMITS;

typedef struct _PROCESS_SESSION_INFORMATION
{
    ULONG SessionId;
} PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION;

#endif // NTOS_MODE_USER

// The two structures below are declared for both user and kernel mode.
// PriorityClass presumably holds one of the PROCESS_PRIORITY_CLASS_* values
// defined earlier -- NOTE(review): confirm against the callers.
typedef struct _PROCESS_PRIORITY_CLASS
{
    BOOLEAN Foreground;
    UCHAR PriorityClass;
} PROCESS_PRIORITY_CLASS, *PPROCESS_PRIORITY_CLASS;

typedef struct _PROCESS_FOREGROUND_BACKGROUND
{
    BOOLEAN Foreground;
} PROCESS_FOREGROUND_BACKGROUND, *PPROCESS_FOREGROUND_BACKGROUND;

//
// Apphelp SHIM Cache
//
// Service codes 0..4, plus two ApphelpDBG* codes placed apart at 0x100/0x101.
//
typedef enum _APPHELPCACHESERVICECLASS
{
    ApphelpCacheServiceLookup = 0,
    ApphelpCacheServiceRemove = 1,
    ApphelpCacheServiceUpdate = 2,
    ApphelpCacheServiceFlush = 3,
    ApphelpCacheServiceDump = 4,

    ApphelpDBGReadRegistry = 0x100,
    ApphelpDBGWriteRegistry = 0x101,
} APPHELPCACHESERVICECLASS;


typedef struct _APPHELP_CACHE_SERVICE_LOOKUP
{
    UNICODE_STRING ImageName;
    HANDLE ImageHandle;
} APPHELP_CACHE_SERVICE_LOOKUP, *PAPPHELP_CACHE_SERVICE_LOOKUP;


//
// Thread Information Structures for NtQueryInformationThread
//
typedef struct _THREAD_BASIC_INFORMATION
{
    NTSTATUS ExitStatus;
    PVOID TebBaseAddress;
    CLIENT_ID ClientId;
    KAFFINITY AffinityMask;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;

#ifndef NTOS_MODE_USER

//
// Job Set Array
//
typedef struct _JOB_SET_ARRAY
{
    HANDLE JobHandle;
    ULONG MemberLevel;
    ULONG Flags;
} JOB_SET_ARRAY, *PJOB_SET_ARRAY;

//
// EPROCESS Quota Structures
//
typedef struct _EPROCESS_QUOTA_ENTRY
{
    SIZE_T Usage;
    SIZE_T Limit;
    SIZE_T Peak;
    SIZE_T Return;
} EPROCESS_QUOTA_ENTRY, *PEPROCESS_QUOTA_ENTRY;

// QuotaEntry has three slots; presumably indexed like EPROCESS.QuotaUsage
// (0=PagedPool, 1=NonPagedPool, 2=Pagefile) -- NOTE(review): confirm.
typedef struct _EPROCESS_QUOTA_BLOCK
{
    EPROCESS_QUOTA_ENTRY QuotaEntry[3];
    LIST_ENTRY QuotaList;
    ULONG ReferenceCount;
    ULONG ProcessCount;
} EPROCESS_QUOTA_BLOCK, *PEPROCESS_QUOTA_BLOCK;

//
// Process Pagefault History
//
// NOTE(review): WatchInfo[1] as the last member looks like a variable-length
// tail sized at allocation time -- confirm, and bound any index by the real
// allocated count rather than by the declared size of 1.
//
typedef struct _PAGEFAULT_HISTORY
{
    ULONG CurrentIndex;
    ULONG MapIndex;
    KSPIN_LOCK SpinLock;
    PVOID Reserved;
    PROCESS_WS_WATCH_INFORMATION WatchInfo[1];
} PAGEFAULT_HISTORY, *PPAGEFAULT_HISTORY;

//
// Process Impersonation Information
//
// Referenced from ETHREAD.ImpersonationInfo.
//
typedef struct _PS_IMPERSONATION_INFORMATION
{
    PACCESS_TOKEN Token;
    BOOLEAN CopyOnOpen;
    BOOLEAN EffectiveOnly;
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
} PS_IMPERSONATION_INFORMATION, *PPS_IMPERSONATION_INFORMATION;

//
// Process Termination Port
//
// Singly linked through Next; Port is an untyped pointer.
//
typedef struct _TERMINATION_PORT
{
    struct _TERMINATION_PORT *Next;
    PVOID Port;
} TERMINATION_PORT, *PTERMINATION_PORT;

//
// Per-Process APC Rate Limiting
//
// NextApc and ExcessCycles share storage. The member name 'TargetGEneration'
// is spelled with a capital E; it is part of the structure's interface.
//
typedef struct _PSP_RATE_APC
{
    union
    {
        SINGLE_LIST_ENTRY NextApc;
        ULONGLONG ExcessCycles;
    };
    ULONGLONG TargetGEneration;
    KAPC RateApc;
} PSP_RATE_APC, *PPSP_RATE_APC;

//
// Executive Thread (ETHREAD)
//
// The layout is selected by NTDDI_VERSION: many members exist only before,
// or only from, NTDDI_LONGHORN, so member offsets differ between build
// targets. Several unions overlay members that share one storage slot.
//
typedef struct _ETHREAD
{
    KTHREAD Tcb;
    LARGE_INTEGER CreateTime;
    union
    {
        LARGE_INTEGER ExitTime;
        LIST_ENTRY LpcReplyChain;
        LIST_ENTRY KeyedWaitChain;
    };
    union
    {
        NTSTATUS ExitStatus;
        PVOID OfsChain;
    };
    LIST_ENTRY PostBlockList;
    union
    {
        struct _TERMINATION_PORT *TerminationPort;
        struct _ETHREAD *ReaperLink;
        PVOID KeyedWaitValue;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
        PVOID Win32StartParameter;
#endif
    };
    KSPIN_LOCK ActiveTimerListLock;
    LIST_ENTRY ActiveTimerListHead;
    CLIENT_ID Cid;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    KSEMAPHORE KeyedWaitSemaphore;
#else
    union
    {
        KSEMAPHORE LpcReplySemaphore;
        KSEMAPHORE KeyedWaitSemaphore;
    };
    union
    {
        PVOID LpcReplyMessage;
        PVOID LpcWaitingOnPort;
    };
#endif
    PPS_IMPERSONATION_INFORMATION ImpersonationInfo;
    LIST_ENTRY IrpList;
    ULONG_PTR TopLevelIrp;
    PDEVICE_OBJECT DeviceToVerify;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    PPSP_RATE_APC RateControlApc;
#else
    struct _EPROCESS *ThreadsProcess;
#endif
    PVOID Win32StartAddress;
    union
    {
        PKSTART_ROUTINE StartAddress;
        ULONG LpcReceivedMessageId;
    };
    LIST_ENTRY ThreadListEntry;
    EX_RUNDOWN_REF RundownProtect;
    EX_PUSH_LOCK ThreadLock;
#if (NTDDI_VERSION < NTDDI_LONGHORN)
    ULONG LpcReplyMessageId;
#endif
    ULONG ReadClusterSize;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    ULONG SpareUlong0;
#else
    ACCESS_MASK GrantedAccess;
#endif
    // CrossThreadFlags aliases the named one-bit fields; the CT_*_BIT masks
    // defined earlier in this header follow the same order. The second bit
    // is ThreadInserted on NTDDI_LONGHORN+ and DeadThread before it.
    union
    {
        struct
        {
            ULONG Terminated:1;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
            ULONG ThreadInserted:1;
#else
            ULONG DeadThread:1;
#endif
            ULONG HideFromDebugger:1;
            ULONG ActiveImpersonationInfo:1;
            ULONG SystemThread:1;
            ULONG HardErrorsAreDisabled:1;
            ULONG BreakOnTermination:1;
            ULONG SkipCreationMsg:1;
            ULONG SkipTerminationMsg:1;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
            ULONG CreateMsgSent:1;
            ULONG ThreadIoPriority:3;
            ULONG ThreadPagePriority:3;
            ULONG PendingRatecontrol:1;
#endif
        };
        ULONG CrossThreadFlags;
    };
    // SameThreadPassiveFlags aliases the bitfields below (see STP_*_BIT).
    union
    {
        struct
        {
            ULONG ActiveExWorker:1;
            ULONG ExWorkerCanWaitUser:1;
            ULONG MemoryMaker:1;
            ULONG KeyedEventInUse:1;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
            ULONG RateApcState:2;
#endif
        };
        ULONG SameThreadPassiveFlags;
    };
    // SameThreadApcFlags aliases the bitfields below (see STA_* masks). The
    // third bit is AddressSpaceOwner before NTDDI_LONGHORN and a spare after.
    union
    {
        struct
        {
            ULONG LpcReceivedMsgIdValid:1;
            ULONG LpcExitThreadCalled:1;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
            ULONG Spare:1;
#else
            ULONG AddressSpaceOwner:1;
#endif
            ULONG OwnsProcessWorkingSetExclusive:1;
            ULONG OwnsProcessWorkingSetShared:1;
            ULONG OwnsSystemWorkingSetExclusive:1;
            ULONG OwnsSystemWorkingSetShared:1;
            ULONG OwnsSessionWorkingSetExclusive:1;
            ULONG OwnsSessionWorkingSetShared:1;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
            ULONG SuppressSymbolLoad:1;
            ULONG Spare1:3;
            ULONG PriorityRegionActive:4;
#else
            ULONG ApcNeeded:1;
#endif
        };
        ULONG SameThreadApcFlags;
    };
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    UCHAR CacheManagerActive;
#else
    UCHAR ForwardClusterOnly;
#endif
    UCHAR DisablePageFaultClustering;
    UCHAR ActiveFaultCount;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    ULONG AlpcMessageId;
    union
    {
        PVOID AlpcMessage;
        ULONG AlpcReceiveAttributeSet;
    };
    LIST_ENTRY AlpcWaitListEntry;
    KSEMAPHORE AlpcWaitSemaphore;
    ULONG CacheManagerCount;
#endif
} ETHREAD;

//
// Executive Process (EPROCESS)
//
typedef struct _EPROCESS
{
    KPROCESS Pcb;
    EX_PUSH_LOCK ProcessLock;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;
    EX_RUNDOWN_REF RundownProtect;
    HANDLE UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;
    SIZE_T QuotaUsage[3]; /* 0=PagedPool, 1=NonPagedPool, 2=Pagefile */
    SIZE_T QuotaPeak[3]; /* ditto */
    SIZE_T CommitCharge;
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    LIST_ENTRY SessionProcessLinks;
    PVOID
DebugPort; 1207 #if (NTDDI_VERSION >= NTDDI_LONGHORN) 1208 union 1209 { 1210 PVOID ExceptionPortData; 1211 ULONG ExceptionPortValue; 1212 UCHAR ExceptionPortState:3; 1213 }; 1214 #else 1215 PVOID ExceptionPort; 1216 #endif 1217 PHANDLE_TABLE ObjectTable; 1218 EX_FAST_REF Token; 1219 PFN_NUMBER WorkingSetPage; 1220 #if (NTDDI_VERSION >= NTDDI_LONGHORN) 1221 EX_PUSH_LOCK AddressCreationLock; 1222 PETHREAD RotateInProgress; 1223 #else 1224 KGUARDED_MUTEX AddressCreationLock; 1225 KSPIN_LOCK HyperSpaceLock; 1226 #endif 1227 PETHREAD ForkInProgress; 1228 ULONG_PTR HardwareTrigger; 1229 PMM_AVL_TABLE PhysicalVadRoot; 1230 PVOID CloneRoot; 1231 PFN_NUMBER NumberOfPrivatePages; 1232 PFN_NUMBER NumberOfLockedPages; 1233 PVOID *Win32Process; 1234 struct _EJOB *Job; 1235 PVOID SectionObject; 1236 PVOID SectionBaseAddress; 1237 PEPROCESS_QUOTA_BLOCK QuotaBlock; 1238 PPAGEFAULT_HISTORY WorkingSetWatch; 1239 PVOID Win32WindowStation; 1240 HANDLE InheritedFromUniqueProcessId; 1241 PVOID LdtInformation; 1242 PVOID VadFreeHint; 1243 PVOID VdmObjects; 1244 PVOID DeviceMap; 1245 #if (NTDDI_VERSION >= NTDDI_LONGHORN) 1246 PVOID EtwDataSource; 1247 PVOID FreeTebHint; 1248 #else 1249 PVOID Spare0[3]; 1250 #endif 1251 union 1252 { 1253 HARDWARE_PTE PageDirectoryPte; 1254 ULONGLONG Filler; 1255 }; 1256 PVOID Session; 1257 CHAR ImageFileName[16]; 1258 LIST_ENTRY JobLinks; 1259 PVOID LockedPagesList; 1260 LIST_ENTRY ThreadListHead; 1261 PVOID SecurityPort; 1262 #ifdef _M_AMD64 1263 struct _WOW64_PROCESS *Wow64Process; 1264 #else 1265 PVOID PaeTop; 1266 #endif 1267 ULONG ActiveThreads; 1268 #if (NTDDI_VERSION >= NTDDI_LONGHORN) 1269 ULONG ImagePathHash; 1270 #else 1271 ACCESS_MASK GrantedAccess; 1272 #endif 1273 ULONG DefaultHardErrorProcessing; 1274 NTSTATUS LastThreadExitStatus; 1275 struct _PEB* Peb; 1276 EX_FAST_REF PrefetchTrace; 1277 LARGE_INTEGER ReadOperationCount; 1278 LARGE_INTEGER WriteOperationCount; 1279 LARGE_INTEGER OtherOperationCount; 1280 LARGE_INTEGER ReadTransferCount; 
1281 LARGE_INTEGER WriteTransferCount; 1282 LARGE_INTEGER OtherTransferCount; 1283 SIZE_T CommitChargeLimit; 1284 SIZE_T CommitChargePeak; 1285 PVOID AweInfo; 1286 SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo; 1287 MMSUPPORT Vm; 1288 #ifdef _M_AMD64 1289 ULONG Spares[2]; 1290 #else 1291 LIST_ENTRY MmProcessLinks; 1292 #endif 1293 ULONG ModifiedPageCount; 1294 #if (NTDDI_VERSION >= NTDDI_LONGHORN) 1295 union 1296 { 1297 struct 1298 { 1299 ULONG JobNotReallyActive:1; 1300 ULONG AccountingFolded:1; 1301 ULONG NewProcessReported:1; 1302 ULONG ExitProcessReported:1; 1303 ULONG ReportCommitChanges:1; 1304 ULONG LastReportMemory:1; 1305 ULONG ReportPhysicalPageChanges:1; 1306 ULONG HandleTableRundown:1; 1307 ULONG NeedsHandleRundown:1; 1308 ULONG RefTraceEnabled:1; 1309 ULONG NumaAware:1; 1310 ULONG ProtectedProcess:1; 1311 ULONG DefaultPagePriority:3; 1312 ULONG ProcessDeleteSelf:1; 1313 ULONG ProcessVerifierTarget:1; 1314 }; 1315 ULONG Flags2; 1316 }; 1317 #else 1318 ULONG JobStatus; 1319 #endif 1320 union 1321 { 1322 struct 1323 { 1324 ULONG CreateReported:1; 1325 ULONG NoDebugInherit:1; 1326 ULONG ProcessExiting:1; 1327 ULONG ProcessDelete:1; 1328 ULONG Wow64SplitPages:1; 1329 ULONG VmDeleted:1; 1330 ULONG OutswapEnabled:1; 1331 ULONG Outswapped:1; 1332 ULONG ForkFailed:1; 1333 ULONG Wow64VaSpace4Gb:1; 1334 ULONG AddressSpaceInitialized:2; 1335 ULONG SetTimerResolution:1; 1336 ULONG BreakOnTermination:1; 1337 #if (NTDDI_VERSION >= NTDDI_LONGHORN) 1338 ULONG DeprioritizeViews:1; 1339 #else 1340 ULONG SessionCreationUnderway:1; 1341 #endif 1342 ULONG WriteWatch:1; 1343 ULONG ProcessInSession:1; 1344 ULONG OverrideAddressSpace:1; 1345 ULONG HasAddressSpace:1; 1346 ULONG LaunchPrefetched:1; 1347 ULONG InjectInpageErrors:1; 1348 ULONG VmTopDown:1; 1349 ULONG ImageNotifyDone:1; 1350 ULONG PdeUpdateNeeded:1; 1351 ULONG VdmAllowed:1; 1352 ULONG SmapAllowed:1; 1353 #if (NTDDI_VERSION >= NTDDI_LONGHORN) 1354 ULONG ProcessInserted:1; 1355 #else 1356 ULONG 
CreateFailed:1; 1357 #endif 1358 ULONG DefaultIoPriority:3; 1359 #if (NTDDI_VERSION >= NTDDI_LONGHORN) 1360 ULONG SparePsFlags1:2; 1361 #else 1362 ULONG Spare1:1; 1363 ULONG Spare2:1; 1364 #endif 1365 }; 1366 ULONG Flags; 1367 }; 1368 NTSTATUS ExitStatus; 1369 #if (NTDDI_VERSION >= NTDDI_LONGHORN) 1370 USHORT Spare7; 1371 #else 1372 USHORT NextPageColor; 1373 #endif 1374 union 1375 { 1376 struct 1377 { 1378 UCHAR SubSystemMinorVersion; 1379 UCHAR SubSystemMajorVersion; 1380 }; 1381 USHORT SubSystemVersion; 1382 }; 1383 UCHAR PriorityClass; 1384 MM_AVL_TABLE VadRoot; 1385 ULONG Cookie; 1386 } EPROCESS; 1387 1388 // 1389 // Job Token Filter Data 1390 // 1391 #include <pshpack1.h> 1392 typedef struct _PS_JOB_TOKEN_FILTER 1393 { 1394 ULONG CapturedSidCount; 1395 PSID_AND_ATTRIBUTES CapturedSids; 1396 ULONG CapturedSidsLength; 1397 ULONG CapturedGroupCount; 1398 PSID_AND_ATTRIBUTES CapturedGroups; 1399 ULONG CapturedGroupsLength; 1400 ULONG CapturedPrivilegeCount; 1401 PLUID_AND_ATTRIBUTES CapturedPrivileges; 1402 ULONG CapturedPrivilegesLength; 1403 } PS_JOB_TOKEN_FILTER, *PPS_JOB_TOKEN_FILTER; 1404 1405 // 1406 // Executive Job (EJOB) 1407 // 1408 typedef struct _EJOB 1409 { 1410 KEVENT Event; 1411 LIST_ENTRY JobLinks; 1412 LIST_ENTRY ProcessListHead; 1413 ERESOURCE JobLock; 1414 LARGE_INTEGER TotalUserTime; 1415 LARGE_INTEGER TotalKernelTime; 1416 LARGE_INTEGER ThisPeriodTotalUserTime; 1417 LARGE_INTEGER ThisPeriodTotalKernelTime; 1418 ULONG TotalPageFaultCount; 1419 ULONG TotalProcesses; 1420 ULONG ActiveProcesses; 1421 ULONG TotalTerminatedProcesses; 1422 LARGE_INTEGER PerProcessUserTimeLimit; 1423 LARGE_INTEGER PerJobUserTimeLimit; 1424 ULONG LimitFlags; 1425 ULONG MinimumWorkingSetSize; 1426 ULONG MaximumWorkingSetSize; 1427 ULONG ActiveProcessLimit; 1428 ULONG Affinity; 1429 UCHAR PriorityClass; 1430 ULONG UIRestrictionsClass; 1431 ULONG SecurityLimitFlags; 1432 PVOID Token; 1433 PPS_JOB_TOKEN_FILTER Filter; 1434 ULONG EndOfJobTimeAction; 1435 PVOID 
CompletionPort; 1436 PVOID CompletionKey; 1437 ULONG SessionId; 1438 ULONG SchedulingClass; 1439 ULONGLONG ReadOperationCount; 1440 ULONGLONG WriteOperationCount; 1441 ULONGLONG OtherOperationCount; 1442 ULONGLONG ReadTransferCount; 1443 ULONGLONG WriteTransferCount; 1444 ULONGLONG OtherTransferCount; 1445 IO_COUNTERS IoInfo; 1446 ULONG ProcessMemoryLimit; 1447 ULONG JobMemoryLimit; 1448 ULONG PeakProcessMemoryUsed; 1449 ULONG PeakJobMemoryUsed; 1450 ULONG CurrentJobMemoryUsed; 1451 #if (NTDDI_VERSION >= NTDDI_WINXP) && (NTDDI_VERSION < NTDDI_WS03) 1452 FAST_MUTEX MemoryLimitsLock; 1453 #elif (NTDDI_VERSION >= NTDDI_WS03) && (NTDDI_VERSION < NTDDI_LONGHORN) 1454 KGUARDED_MUTEX MemoryLimitsLock; 1455 #elif (NTDDI_VERSION >= NTDDI_LONGHORN) 1456 EX_PUSH_LOCK MemoryLimitsLock; 1457 #endif 1458 LIST_ENTRY JobSetLinks; 1459 ULONG MemberLevel; 1460 ULONG JobFlags; 1461 } EJOB, *PEJOB; 1462 #include <poppack.h> 1463 1464 // 1465 // Job Information Structures for NtQueryInformationJobObject 1466 // 1467 1468 typedef struct _JOBOBJECT_BASIC_ACCOUNTING_INFORMATION 1469 { 1470 LARGE_INTEGER TotalUserTime; 1471 LARGE_INTEGER TotalKernelTime; 1472 LARGE_INTEGER ThisPeriodTotalUserTime; 1473 LARGE_INTEGER ThisPeriodTotalKernelTime; 1474 ULONG TotalPageFaultCount; 1475 ULONG TotalProcesses; 1476 ULONG ActiveProcesses; 1477 ULONG TotalTerminatedProcesses; 1478 } JOBOBJECT_BASIC_ACCOUNTING_INFORMATION, *PJOBOBJECT_BASIC_ACCOUNTING_INFORMATION; 1479 1480 typedef struct _JOBOBJECT_BASIC_LIMIT_INFORMATION 1481 { 1482 LARGE_INTEGER PerProcessUserTimeLimit; 1483 LARGE_INTEGER PerJobUserTimeLimit; 1484 ULONG LimitFlags; 1485 SIZE_T MinimumWorkingSetSize; 1486 SIZE_T MaximumWorkingSetSize; 1487 ULONG ActiveProcessLimit; 1488 ULONG_PTR Affinity; 1489 ULONG PriorityClass; 1490 ULONG SchedulingClass; 1491 } JOBOBJECT_BASIC_LIMIT_INFORMATION, *PJOBOBJECT_BASIC_LIMIT_INFORMATION; 1492 1493 typedef struct _JOBOBJECT_BASIC_PROCESS_ID_LIST 1494 { 1495 ULONG NumberOfAssignedProcesses; 1496 ULONG 
NumberOfProcessIdsInList; 1497 ULONG_PTR ProcessIdList[1]; 1498 } JOBOBJECT_BASIC_PROCESS_ID_LIST, *PJOBOBJECT_BASIC_PROCESS_ID_LIST; 1499 1500 typedef struct _JOBOBJECT_BASIC_UI_RESTRICTIONS 1501 { 1502 ULONG UIRestrictionsClass; 1503 } JOBOBJECT_BASIC_UI_RESTRICTIONS, *PJOBOBJECT_BASIC_UI_RESTRICTIONS; 1504 1505 typedef struct _JOBOBJECT_SECURITY_LIMIT_INFORMATION 1506 { 1507 ULONG SecurityLimitFlags; 1508 HANDLE JobToken; 1509 PTOKEN_GROUPS SidsToDisable; 1510 PTOKEN_PRIVILEGES PrivilegesToDelete; 1511 PTOKEN_GROUPS RestrictedSids; 1512 } JOBOBJECT_SECURITY_LIMIT_INFORMATION, *PJOBOBJECT_SECURITY_LIMIT_INFORMATION; 1513 1514 typedef struct _JOBOBJECT_END_OF_JOB_TIME_INFORMATION 1515 { 1516 ULONG EndOfJobTimeAction; 1517 } JOBOBJECT_END_OF_JOB_TIME_INFORMATION, PJOBOBJECT_END_OF_JOB_TIME_INFORMATION; 1518 1519 typedef struct _JOBOBJECT_ASSOCIATE_COMPLETION_PORT 1520 { 1521 PVOID CompletionKey; 1522 HANDLE CompletionPort; 1523 } JOBOBJECT_ASSOCIATE_COMPLETION_PORT, *PJOBOBJECT_ASSOCIATE_COMPLETION_PORT; 1524 1525 typedef struct JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION 1526 { 1527 JOBOBJECT_BASIC_ACCOUNTING_INFORMATION BasicInfo; 1528 IO_COUNTERS IoInfo; 1529 } JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION, *PJOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION; 1530 1531 typedef struct _JOBOBJECT_EXTENDED_LIMIT_INFORMATION 1532 { 1533 JOBOBJECT_BASIC_LIMIT_INFORMATION BasicLimitInformation; 1534 IO_COUNTERS IoInfo; 1535 SIZE_T ProcessMemoryLimit; 1536 SIZE_T JobMemoryLimit; 1537 SIZE_T PeakProcessMemoryUsed; 1538 SIZE_T PeakJobMemoryUsed; 1539 } JOBOBJECT_EXTENDED_LIMIT_INFORMATION, *PJOBOBJECT_EXTENDED_LIMIT_INFORMATION; 1540 1541 1542 // 1543 // Win32K Callback Registration Data 1544 // 1545 typedef struct _WIN32_POWEREVENT_PARAMETERS 1546 { 1547 PSPOWEREVENTTYPE EventNumber; 1548 ULONG Code; 1549 } WIN32_POWEREVENT_PARAMETERS, *PWIN32_POWEREVENT_PARAMETERS; 1550 1551 typedef struct _WIN32_POWERSTATE_PARAMETERS 1552 { 1553 UCHAR Promotion; 1554 POWER_ACTION 
SystemAction; 1555 SYSTEM_POWER_STATE MinSystemState; 1556 ULONG Flags; 1557 POWERSTATETASK PowerStateTask; 1558 } WIN32_POWERSTATE_PARAMETERS, *PWIN32_POWERSTATE_PARAMETERS; 1559 1560 typedef struct _WIN32_JOBCALLOUT_PARAMETERS 1561 { 1562 PVOID Job; 1563 PSW32JOBCALLOUTTYPE CalloutType; 1564 PVOID Data; 1565 } WIN32_JOBCALLOUT_PARAMETERS, *PWIN32_JOBCALLOUT_PARAMETERS; 1566 1567 typedef struct _WIN32_OPENMETHOD_PARAMETERS 1568 { 1569 OB_OPEN_REASON OpenReason; 1570 PEPROCESS Process; 1571 PVOID Object; 1572 ULONG GrantedAccess; 1573 ULONG HandleCount; 1574 } WIN32_OPENMETHOD_PARAMETERS, *PWIN32_OPENMETHOD_PARAMETERS; 1575 1576 typedef struct _WIN32_OKAYTOCLOSEMETHOD_PARAMETERS 1577 { 1578 PEPROCESS Process; 1579 PVOID Object; 1580 HANDLE Handle; 1581 KPROCESSOR_MODE PreviousMode; 1582 } WIN32_OKAYTOCLOSEMETHOD_PARAMETERS, *PWIN32_OKAYTOCLOSEMETHOD_PARAMETERS; 1583 1584 typedef struct _WIN32_CLOSEMETHOD_PARAMETERS 1585 { 1586 PEPROCESS Process; 1587 PVOID Object; 1588 ACCESS_MASK AccessMask; 1589 ULONG ProcessHandleCount; 1590 ULONG SystemHandleCount; 1591 } WIN32_CLOSEMETHOD_PARAMETERS, *PWIN32_CLOSEMETHOD_PARAMETERS; 1592 1593 typedef struct _WIN32_DELETEMETHOD_PARAMETERS 1594 { 1595 PVOID Object; 1596 } WIN32_DELETEMETHOD_PARAMETERS, *PWIN32_DELETEMETHOD_PARAMETERS; 1597 1598 typedef struct _WIN32_PARSEMETHOD_PARAMETERS 1599 { 1600 PVOID ParseObject; 1601 PVOID ObjectType; 1602 PACCESS_STATE AccessState; 1603 KPROCESSOR_MODE AccessMode; 1604 ULONG Attributes; 1605 _Out_ PUNICODE_STRING CompleteName; 1606 PUNICODE_STRING RemainingName; 1607 PVOID Context; 1608 PSECURITY_QUALITY_OF_SERVICE SecurityQos; 1609 PVOID *Object; 1610 } WIN32_PARSEMETHOD_PARAMETERS, *PWIN32_PARSEMETHOD_PARAMETERS; 1611 1612 typedef struct _WIN32_CALLOUTS_FPNS 1613 { 1614 PKWIN32_PROCESS_CALLOUT ProcessCallout; 1615 PKWIN32_THREAD_CALLOUT ThreadCallout; 1616 PKWIN32_GLOBALATOMTABLE_CALLOUT GlobalAtomTableCallout; 1617 PKWIN32_POWEREVENT_CALLOUT PowerEventCallout; 1618 
PKWIN32_POWERSTATE_CALLOUT PowerStateCallout; 1619 PKWIN32_JOB_CALLOUT JobCallout; 1620 PGDI_BATCHFLUSH_ROUTINE BatchFlushRoutine; 1621 PKWIN32_SESSION_CALLOUT DesktopOpenProcedure; 1622 PKWIN32_SESSION_CALLOUT DesktopOkToCloseProcedure; 1623 PKWIN32_SESSION_CALLOUT DesktopCloseProcedure; 1624 PKWIN32_SESSION_CALLOUT DesktopDeleteProcedure; 1625 PKWIN32_SESSION_CALLOUT WindowStationOkToCloseProcedure; 1626 PKWIN32_SESSION_CALLOUT WindowStationCloseProcedure; 1627 PKWIN32_SESSION_CALLOUT WindowStationDeleteProcedure; 1628 PKWIN32_SESSION_CALLOUT WindowStationParseProcedure; 1629 PKWIN32_SESSION_CALLOUT WindowStationOpenProcedure; 1630 #if (NTDDI_VERSION >= NTDDI_LONGHORN) 1631 PKWIN32_WIN32DATACOLLECTION_CALLOUT Win32DataCollectionProcedure; 1632 #endif 1633 } WIN32_CALLOUTS_FPNS, *PWIN32_CALLOUTS_FPNS; 1634 1635 #endif // !NTOS_MODE_USER 1636 1637 #ifdef __cplusplus 1638 }; // extern "C" 1639 #endif 1640 1641 #endif // _PSTYPES_H 1642